use des-ecb algo for encrypting uniqueSessionId

metlo-labs · Sep 23, 2022 · 85d2d73 · 85d2d73
1 parent 71846da
commit 85d2d73
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 49 deletions.
diff --git a/backend/src/services/authentication-config/index.ts b/backend/src/services/authentication-config/index.ts
@@ -2,7 +2,7 @@ import { AuthType } from "@common/enums"
 import { SessionMeta } from "@common/types"
 import { AppDataSource } from "data-source"
 import { ApiTrace, AuthenticationConfig } from "models"
-import { encrypt, generate_iv } from "utils/encryption"
+import { encryptEcb } from "utils/encryption"
 
 export class AuthenticationConfigService {
   static async setSessionMetadata(apiTrace: ApiTrace) {
@@ -14,8 +14,6 @@ export class AuthenticationConfigService {
       return
     }
     const key = process.env.ENCRYPTION_KEY
-    const encryptionKey = Buffer.from(key, "base64")
-    const keypairIv = generate_iv()
 
     const requestHeaders = apiTrace.requestHeaders
     const successfulAuth =
@@ -35,20 +33,12 @@ export class AuthenticationConfigService {
             const decodedUser = Buffer.from(encodedValue, "base64")
               ?.toString()
               ?.split(":")[0]
-            const { encrypted, tag } = encrypt(
-              encodedValue,
-              encryptionKey,
-              keypairIv,
-            )
+            const encrypted = encryptEcb(encodedValue, key)
             sessionMeta = {
               authenticationProvided: true,
               authenticationSuccessful: successfulAuth,
               authType: authConfig.authType,
-              uniqueSession: {
-                key: encrypted,
-                iv: keypairIv.toString("base64"),
-                tag: tag.toString("base64"),
-              },
+              uniqueSessionKey: encrypted,
               user: decodedUser,
             }
           }
@@ -57,61 +47,37 @@ export class AuthenticationConfigService {
           const authHeader = authConfig.headerKey ?? ""
           if (header.name.toLowerCase() === authHeader.toLowerCase()) {
             const headerValue = header.value
-            const { encrypted, tag } = encrypt(
-              headerValue,
-              encryptionKey,
-              keypairIv,
-            )
+            const encrypted = encryptEcb(headerValue, key)
             sessionMeta = {
               authenticationProvided: true,
               authenticationSuccessful: successfulAuth,
               authType: authConfig.authType,
-              uniqueSession: {
-                key: encrypted,
-                iv: keypairIv.toString("base64"),
-                tag: tag.toString("base64"),
-              },
+              uniqueSessionKey: encrypted,
             }
           }
           break
         case AuthType.SESSION_COOKIE:
           const cookieName = authConfig?.cookieName ?? ""
           if (header.name.toLowerCase() === cookieName.toLowerCase()) {
             const cookieValue = header.value
-            const { encrypted, tag } = encrypt(
-              cookieValue,
-              encryptionKey,
-              keypairIv,
-            )
+            const encrypted = encryptEcb(cookieValue, key)
             sessionMeta = {
               authenticationProvided: true,
               authenticationSuccessful: successfulAuth,
               authType: authConfig.authType,
-              uniqueSession: {
-                key: encrypted,
-                iv: keypairIv.toString("base64"),
-                tag: tag.toString("base64"),
-              },
+              uniqueSessionKey: encrypted,
             }
           }
           break
         case AuthType.JWT:
           const jwtHeader = authConfig.headerKey ?? ""
           if (header.name.toLowerCase() === jwtHeader.toLowerCase()) {
-            const { encrypted, tag } = encrypt(
-              header.value,
-              encryptionKey,
-              keypairIv,
-            )
+            const encrypted = encryptEcb(header.value, key)
             sessionMeta = {
               authenticationProvided: true,
               authenticationSuccessful: successfulAuth,
               authType: authConfig.authType,
-              uniqueSession: {
-                key: encrypted,
-                iv: keypairIv.toString("base64"),
-                tag: tag.toString("base64"),
-              },
+              uniqueSessionKey: encrypted,
             }
             const decodedPayload = JSON.parse(
               Buffer.from(

diff --git a/backend/src/utils/encryption.ts b/backend/src/utils/encryption.ts
@@ -1,6 +1,7 @@
 import crypto from "crypto"
 
 const algorithm = "aes-256-gcm"
+const ecbAlgorithm = "des-ecb"
 
 /**  encrypts ascii/utf-8 text into a base64-encoded string */
 const encrypt = (
@@ -14,6 +15,14 @@ const encrypt = (
   return { encrypted: enc, tag: cipher.getAuthTag() }
 }
 
+export const encryptEcb = (text: string, key: string): string => {
+  const keyBuffer = Buffer.from(key, "base64").subarray(0, 8)
+  const cipher = crypto.createCipheriv(ecbAlgorithm, keyBuffer, null)
+  let enc = cipher.update(text, "utf8", "base64")
+  enc += cipher.final("base64")
+  return enc
+}
+
 /**  decrypt decodes base64-encoded ciphertext into a utf8-encoded string */
 const decrypt = (
   encrypted: string,

diff --git a/common/src/types.ts b/common/src/types.ts
@@ -30,13 +30,9 @@ export interface Meta {
 
 export interface SessionMeta {
   authenticationProvided: boolean
-  authenticationSuccessful?: boolean
+  authenticationSuccessful: boolean
   authType: AuthType
-  uniqueSession?: {
-    key: string
-    iv: string
-    tag: string
-  }
+  uniqueSessionKey?: string
   user?: string
 }